We are going to discuss using user passwords with IdentityServer4 based on our existing projects from my last post. You can find the solution source at my Github Repository.

2. Modify Identity Server Application

Before modifying our code, let’s check the authentication type in our last post.

```csharp
public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "client",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.ClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // scopes that client has access to
            AllowedScopes = { "api1" }
        }
    };
}
```

We set the grant type to Client Credentials. This is the simplest grant type and is used for server-to-server communication. IdentityServer4 supports many other, more powerful grant types; see the linked IdentityServer4 documentation for the full list.

In this update, we create a new method, “GetClients2”, that uses the “ResourceOwnerPassword“ grant type. (Hold on, we will update the code later.)

```csharp
public static IEnumerable<Client> GetClients2()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "ro.client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            AllowedScopes = { "api1" }
        }
    };
}
```

Compared with Client Credentials, ResourceOwnerPassword adds a username and password check on top of the client secret check. To log in to the Identity Server, you first need to tell the server which “client” you are. For example, when we log in to Facebook from the Facebook mobile app, we need to tell the Facebook server that we are logging in from the mobile app client, not the web app client. By presenting the client id and client secret, the server learns the client's identity and handles the request accordingly. What is more, IdentityServer can restrict the allowed scopes for each client connection, which helps separate application user groups, such as normal users and admin users.

After the server has verified the client id and secret, the client must supply the correct username and password to obtain a token. This password step is very easy to understand.

Now, let’s update our server code. The code differs little from the official website; you can read more in the link at the top of this page.

Add this code to the Config.cs file in your IdentityServer4_Server project. We are adding the new users with passwords and the client setup.

```csharp
public static IEnumerable<Client> GetClients2()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "ro.client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            AllowedScopes = { "api1" }
        }
    };
}

public static List<TestUser> GetUsers()
{
    return new List<TestUser>
    {
        new TestUser
        {
            SubjectId = "1",
            Username = "alice",
            Password = "password"
        },
        new TestUser
        {
            SubjectId = "2",
            Username = "bob",
            Password = "password"
        }
    };
}
```

Now, in your Startup.cs file, modify the ConfigureServices method.

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddIdentityServer()
        .AddTemporarySigningCredential()
        .AddInMemoryApiResources(Config.GetApiResources())
        //.AddInMemoryClients(Config.GetClients())
        .AddTestUsers(Config.GetUsers())
        .AddInMemoryClients(Config.GetClients2());

    services.AddMvc();
}
```
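TestUser keeps each password in plain text, which is fine for the quickstart but not for a real user store. The following is an added example (not code from this post or from the IdentityServer4 project) showing how the same username/password step can be served from hashed credentials instead of AddTestUsers(): IdentityServer4 invokes a registered IResourceOwnerPasswordValidator for every grant_type=password request, after the client id and secret have already been verified. The HashedUser record, the PasswordHashing helper, the HashedPasswordValidator class and the iteration count are assumptions of this example; IResourceOwnerPasswordValidator, GrantValidationResult, TokenRequestErrors and AddResourceOwnerValidator are the real IdentityServer4 types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user record: only a salt and a PBKDF2 hash are stored, never the password itself.
public class HashedUser
{
    public string SubjectId { get; set; }
    public string Username { get; set; }
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
}

public static class PasswordHashing
{
    private const int Iterations = 100_000; // assumption: tune to your hardware
    private const int HashBytes = 32;
    private static readonly byte[] DummySalt = new byte[16]; // used when the user does not exist

    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    public static HashedUser Create(string subjectId, string username, string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new HashedUser { SubjectId = subjectId, Username = username, Salt = salt, Hash = Hash(password, salt) };
    }

    // Constant-time comparison so the response time does not depend on how many leading bytes match.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static byte[] DummySaltForUnknownUser() => DummySalt;
}

// Replaces AddTestUsers(): called for each password grant request once the client has been authenticated.
public class HashedPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly Dictionary<string, HashedUser> _users =
        new Dictionary<string, HashedUser>(StringComparer.OrdinalIgnoreCase);

    public HashedPasswordValidator(IEnumerable<HashedUser> users)
    {
        foreach (var u in users) _users[u.Username] = u;
    }

    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        _users.TryGetValue(context.UserName ?? string.Empty, out var user);

        // Hash even for an unknown user so the timing does not reveal which usernames exist.
        var salt = user?.Salt ?? PasswordHashing.DummySaltForUnknownUser();
        var candidate = PasswordHashing.Hash(context.Password ?? string.Empty, salt);

        if (user != null && PasswordHashing.FixedTimeEquals(candidate, user.Hash))
        {
            context.Result = new GrantValidationResult(user.SubjectId, OidcConstants.AuthenticationMethods.Password);
        }
        else
        {
            // One generic error for both "no such user" and "wrong password".
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid username or password");
        }
        return Task.CompletedTask;
    }
}

public static class HashedUsersRegistration
{
    // Assumed replacement for the ConfigureServices body above: GetClients2() is unchanged,
    // only the test-user line is swapped for the hashed validator.
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IEnumerable<HashedUser>>(new[]
        {
            PasswordHashing.Create("1", "alice", "password"), // constructed sample user, same as the post's
        });

        services.AddIdentityServer()
            .AddTemporarySigningCredential()
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients2())
            .AddResourceOwnerValidator<HashedPasswordValidator>();
    }
}
```

The generic invalid_grant error and the hash-on-miss branch are the two details worth keeping from this example: they stop the token endpoint from acting as a username oracle, which matters because the password grant exposes a credential-checking endpoint directly to every client that is allowed to use it.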

Notice that we comment out

```csharp
.AddInMemoryClients(Config.GetClients())
```

and instead use our new client setup:

```csharp
.AddInMemoryClients(Config.GetClients2());
```


I have tried to leave both of the client setups there, and it seems not to work! The later setup will overwrite the former one!

3. Modify Client Console App

Open the Program.cs file in the console client. Modify your Main method and add another method, CallAPIAsyncUsingPassword. It should look like the code below.

In this file, we use the new method to call the server with the username and password. As we discussed above, before the password can be used, the client id and secret are sent to the server as part of the same token request.
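The following is an added example, not the post's own console client code, showing the exchange described in section 2 and the CallAPIAsyncUsingPassword method named above: one POST to the token endpoint carrying both the client credentials (ro.client / secret) and the user's credentials (alice / password), followed by an API call that presents the returned access token as a Bearer header. The method name comes from the post; its body, the RequestPasswordTokenAsync helper, the server address http://localhost:5000, the API address http://localhost:5001/identity and the use of Newtonsoft.Json for parsing are assumptions of this example (the ports are the ones the IdentityServer4 quickstart uses).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class Program
{
    // Assumed addresses: identity server on 5000, protected API on 5001.
    const string TokenEndpoint = "http://localhost:5000/connect/token";
    const string ApiUrl = "http://localhost:5001/identity";

    public static void Main()
    {
        CallAPIAsyncUsingPassword().GetAwaiter().GetResult();
    }

    // Step 1: the client identifies itself with client_id/client_secret and forwards the
    // user's username/password in the same form; the server replies with an access token.
    static async Task<string> RequestPasswordTokenAsync(HttpClient http, string username, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = "ro.client",
            ["client_secret"] = "secret",
            ["username"] = username,
            ["password"] = password,
            ["scope"] = "api1"
        });

        var response = await http.PostAsync(TokenEndpoint, form);
        var body = JObject.Parse(await response.Content.ReadAsStringAsync());

        if (!response.IsSuccessStatusCode)
        {
            // IdentityServer4 answers 400 with {"error":"invalid_client"} for a bad secret
            // and {"error":"invalid_grant"} for a bad username/password.
            throw new InvalidOperationException("token request failed: " + body["error"]);
        }

        return (string)body["access_token"];
    }

    // Step 2: call the protected API with the token as a Bearer credential.
    static async Task CallAPIAsyncUsingPassword()
    {
        using (var http = new HttpClient())
        {
            string token = await RequestPasswordTokenAsync(http, "alice", "password");

            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            var apiResponse = await http.GetAsync(ApiUrl);

            Console.WriteLine((int)apiResponse.StatusCode);
            Console.WriteLine(await apiResponse.Content.ReadAsStringAsync());
        }
    }
}
```

Because the user's password travels in the POST body, the token endpoint has to be reached over TLS anywhere other than this local test setup; the plain http://localhost addresses are only acceptable because both processes run on the same machine.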